11038888

Methods And Systems For Dynamic Creation Of Access Control Lists

Published: June 15, 2021
Assignee: not available in USPTO data
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for managing dynamic network access control lists, comprising: receiving, by one or more processors, a plurality of resource descriptions from a first data source, wherein each of the plurality of resource descriptions is associated with a plurality of computing devices in a network that comprises one or more policy enforcement points (PEPs); receiving, by the one or more processors, a policy enforcement point graph for the network from a second data source, wherein the policy enforcement point graph defines a spatial relationship between the plurality of computing devices in the network based on the plurality of resource descriptions and the one or more PEPs; generating, by the one or more processors, an access control list (ACL) based on the received plurality of resource descriptions and the policy enforcement point graph, wherein the ACL comprises at least one policy for controlling network traffic through a policy enforcement point (PEP) of the network; transmitting, by the one or more processors, the generated ACL to the PEP; and controlling, by the one or more processors, the PEP to block or deliver one or more data packets to a computing device of the network based on the ACL.

2. The method of claim 1, wherein each of the plurality of resource descriptions comprises one or more of the following: information corresponding to an Internet Protocol (IP) definition of a computing device, information corresponding to desired access of the computing device, and information corresponding to permitted access of the computing device.

3. The method of claim 2, wherein the information corresponding to the IP definition of the computing device comprises a query to a data source for one or more of the following: an IP address of the computing device, a domain name, or a media access control (MAC) address.

4. The method of claim 2, wherein the information corresponding to desired access of the computing device comprises one or more of the following: identifying information of one or more destination computing devices to which the computing device wishes to connect; identifying information of one or more services of the one or more destination computing devices to which the computing device wishes to connect; permitted protocol information corresponding to the one or more services; or permitted port information corresponding to the one or more services.

5. The method of claim 2, wherein the information corresponding to permitted access of the computing device comprises one or more of the following: identifying information of one or more services provided by the computing device; identifying information of one or more source computing devices to which the computing device grants access permission; permitted protocol information corresponding to the one or more services provided by the computing device; permitted port information corresponding to the one or more provided services; or a time limit for each of the one or more provided services.

6. The method of claim 1, wherein the policy enforcement point graph defines spatial relationships between the plurality of computing devices in the network based on the plurality of resource descriptions, the PEP, and/or one or more additional PEPs.

7. The method of claim 6, further comprising: modifying the ACL based on changes to the plurality of resource descriptions and the spatial relationships between the plurality of computing devices in the network.

8. The method of claim 1, further comprising: receiving a request for the ACL, wherein the request for the ACL is received from one or more of the following: the PEP, wherein the PEP receives communications from and sends communications to one or more ports of the plurality of computing devices in the network; a computing device in the network; or a computing device associated with a user.

9. The method of claim 8, wherein receiving the request for the ACL comprises receiving the request from the PEP of the network in response to receiving, at the PEP, a data packet from a first computing device to be delivered to a second computing device.

10. The method of claim 9, further comprising: receiving, at the PEP, the ACL; parsing, at the PEP, the ACL to determine whether the at least one policy allows the data packet to be delivered to the second computing device; and using results of the parsing to decide, at the PEP, whether to block or deliver the data packet to the second computing device, and in response either blocking or delivering the data packet.

11. The method of claim 9, wherein the request for the ACL further comprises information from the data packet, and wherein the information from the data packet comprises one or more of the following: an IP address of a source computing device; an IP address of a destination computing device; a media access control (MAC) address; a time stamp; an identifier of the PEP; protocol information; source computing device port information; or destination computing device port information.

12. The method of claim 1, wherein using the plurality of resource descriptions and the policy enforcement point graph to generate the ACL comprises: identifying a plurality of paths between the computing devices of the network, wherein each of the plurality of paths encompasses at least one PEP on the policy enforcement point graph; using the plurality of resource descriptions to discard a subset of the plurality of paths to generate a policy enforcement point vector; and using the policy enforcement point vector to generate the ACL.

13. The method of claim 12, wherein using the plurality of resource descriptions to discard a subset of the plurality of paths comprises, for each of the plurality of paths: identifying a source computing device for the path; identifying a destination computing device for the path; using information corresponding to desired access for the source computing device and information corresponding to permitted access for the destination computing device to determine whether network traffic is allowed on the path; and discarding the path if network traffic is not allowed.
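The procedure in claims 12 and 13 (enumerate host-to-host paths that cross at least one PEP, discard those the resource descriptions do not authorise, turn the survivors into a per-PEP vector and then into an ACL) and the PEP-side decision of claim 10 can be shown end to end in a small model. The code below is an added illustration, not the patent's or any assignee's implementation: the graph, hosts, IP addresses, services and the shape of the resource descriptions and ACL rules are all constructed assumptions, chosen so the example runs offline.

```python
"""Toy model of ACL generation from resource descriptions and a PEP graph.
Every host, IP, service and rule format here is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ResourceDescription:
    """One device's resource description (claims 2-5, simplified)."""
    ip: str
    # desired access: (destination host, service name) pairs this host wants
    desired: set = field(default_factory=set)
    # permitted access: service name -> (protocol, port, set of allowed source hosts)
    permitted: dict = field(default_factory=dict)


# Constructed sample network: hosts and PEPs are nodes of one undirected graph.
PEPS = {"fw-a", "fw-b"}
GRAPH = {
    "web": {"fw-a"},
    "fw-a": {"web", "db", "fw-b"},
    "db": {"fw-a"},
    "fw-b": {"fw-a", "jump"},
    "jump": {"fw-b"},
}
RESOURCES = {
    "web": ResourceDescription("10.0.1.10", desired={("db", "postgres")}),
    "db": ResourceDescription("10.0.2.20",
                              permitted={"postgres": ("tcp", 5432, {"web"})}),
    # jump wants two things; neither is permitted by the destination
    "jump": ResourceDescription("10.0.3.30",
                                desired={("db", "postgres"), ("web", "ssh")}),
}


def simple_paths(graph, src, dst):
    """All loop-free paths from src to dst by depth-first search."""
    stack, out = [(src, [src])], []
    while stack:
        node, path = stack.pop()
        if node == dst:
            out.append(path)
            continue
        for nxt in graph[node]:
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return out


def pep_paths(graph, peps):
    """Claim 12, first step: every host-to-host path crossing at least one PEP."""
    hosts = [h for h in graph if h not in peps]
    return [p for s in hosts for d in hosts if s != d
            for p in simple_paths(graph, s, d) if any(n in peps for n in p)]


def pep_vector(paths, resources, peps):
    """Claim 13: keep a path only if the source desires the service AND the
    destination permits that source. Each kept path yields one vector entry
    per PEP it crosses: (pep, src_ip, dst_ip, proto, port)."""
    vector = []
    for path in paths:
        src, dst = path[0], path[-1]
        for dest_host, svc in resources[src].desired:
            if dest_host != dst or svc not in resources[dst].permitted:
                continue                      # not desired here, or service not offered
            proto, port, allowed = resources[dst].permitted[svc]
            if src not in allowed:
                continue                      # destination does not permit this source
            for pep in (n for n in path if n in peps):
                vector.append((pep, resources[src].ip, resources[dst].ip, proto, port))
    return vector


def build_acls(vector):
    """Per-PEP ACL: explicit allow rules; anything unmatched is denied."""
    acls = defaultdict(list)
    for pep, src_ip, dst_ip, proto, port in vector:
        rule = {"action": "allow", "src": src_ip, "dst": dst_ip,
                "proto": proto, "dport": port}
        if rule not in acls[pep]:
            acls[pep].append(rule)
    return dict(acls)


def pep_decide(acl, src_ip, dst_ip, proto, dport):
    """Claim 10: the PEP parses its ACL and returns 'deliver' or 'block'."""
    for rule in acl:
        if (rule["src"], rule["dst"], rule["proto"], rule["dport"]) == \
                (src_ip, dst_ip, proto, dport):
            return "deliver"
    return "block"


def generate(graph=GRAPH, peps=PEPS, resources=RESOURCES):
    """Claims 12-13 end to end; rerun on changed inputs for claim 7's update."""
    return build_acls(pep_vector(pep_paths(graph, peps), resources, peps))


if __name__ == "__main__":
    acls = generate()
    print(acls)   # only fw-a gets a rule: web -> db on tcp/5432
    print(pep_decide(acls.get("fw-b", []), "10.0.3.30", "10.0.1.10", "tcp", 22))
```

Two points the code makes concrete: a path survives only when both sides agree (the source's desired access and the destination's permitted access), so jump's wish to reach db is dropped even though db offers the service; and a PEP that ends up with no entries in the vector gets an empty ACL and therefore blocks everything, which is the safe default for a PEP the generator has nothing to say about.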

14. A system for managing dynamic network access control lists, the system comprising: a plurality of computing devices; a network comprising a plurality of policy enforcement points (PEPs); one or more hardware processors in communication with the plurality of computing devices via the network; and a non-transitory computer-readable storage medium containing programming instructions that are configured to, when executed by the one or more hardware processors, cause the one or more hardware processors to: receive a plurality of resource descriptions from a first data source, wherein each of the plurality of resource descriptions is associated with a plurality of computing devices in the network; receive a policy enforcement point graph for the network from a second data source, wherein the policy enforcement point graph defines a spatial relationship between the plurality of computing devices in the network based on the plurality of resource descriptions and the one or more PEPs; generate an access control list (ACL) based on the received plurality of resource descriptions and the policy enforcement point graph, wherein the ACL comprises at least one policy for controlling network traffic through a first policy enforcement point of the network; transmit the generated ACL to a first PEP; and control the first PEP to block or deliver one or more data packets to a computing device of the network based on the ACL.

15. The system of claim 14, wherein each of the plurality of resource descriptions comprises one or more of the following: information corresponding to an Internet Protocol (IP) definition of a computing device, information corresponding to desired access of the computing device, and information corresponding to permitted access of the computing device.

16. The system of claim 15, wherein the information corresponding to the IP definition of the computing device comprises a query to a data source for one or more of the following: an IP address of the computing device, a domain name, or a media access control (MAC) address.

17. The system of claim 15, wherein the information corresponding to desired access of the computing device comprises one or more of the following: identifying information of one or more destination computing devices to which the computing device wishes to connect; identifying information of one or more services of the one or more destination computing devices to which the computing device wishes to connect; permitted protocol information corresponding to the one or more services; or permitted port information corresponding to the one or more services.

18. The system of claim 15, wherein the information corresponding to permitted access of the computing device comprises one or more of the following: identifying information of one or more services provided by the computing device; identifying information of one or more source computing devices to which the computing device grants access permission; permitted protocol information corresponding to the one or more services provided by the computing device; permitted port information corresponding to the one or more provided services; or a time limit for each of the one or more provided services.

19. The system of claim 14, wherein the policy enforcement point graph defines spatial relationships between the plurality of computing devices in the network based on the plurality of resource descriptions, the first PEP, and/or one or more additional PEPs.

20. The system of claim 19, wherein the instructions are further configured to cause the one or more hardware processors to: modify the ACL based on changes to the plurality of resource descriptions and the spatial relationships between the plurality of computing devices in the network.

Patent Metadata

Filing Date

Unknown

Publication Date

June 15, 2021

Inventors

Vjaceslavs Klimovs
Daniel Watson

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Methods And Systems For Dynamic Creation Of Access Control Lists” (11038888). https://patentable.app/patents/11038888
